by Pierce Owen, VP, Research & Publishing, SAPinsider
About 30% of the SAPinsider Community currently uses business process controls, with another 28% implementing and 31% evaluating process control solutions, according to SAPinsider’s “Impact of Cloud and SAP HANA on Enterprise Security Strategy Benchmark Report.” In the case of Pfizer, an American multinational pharmaceuticals company headquartered in New York City with approximately 88,300 employees worldwide, the Manual Control Performance (MCP) capability in SAP Process Control empowered the organization to standardize controls across all sites, centralize control performance, and perform continuous control monitoring (CCM). SAPinsider recently interviewed Brian Lee, SAP Process Control solutions team lead at Pfizer, to understand how the company implemented MCP for SAP Process Control, standardized and optimized ICOFR (Internal Control Over Financial Reporting) controls, and assisted continuous audits.
Audits Required Centralization
As a global organization, Pfizer has offices, plants, and operations in many countries. Business teams in different regions had very similar controls and identical risks, but they used to run reports in very different ways. Some ran spreadsheet-based reports while others had custom applications or inquiry-based checks. When running internal audits, auditors would have to physically visit each site at least once per year and search through on-site documents and spreadsheets or understand the local systems and processes in order to perform their audit.
In 2017, Pfizer started implementing SAP Process Control and established a technology group led by Brian to manage it. Pfizer has used SAP Access Control for many years for segregation of duties and user provisioning, but it had an internal push to leverage SAP Process Control to review both automated and manual controls in a centralized way. They wanted to use the CCM functionality to review key configurable settings, programs, transactions, and business rules. “The Finance team heard about SAP Process Control and liked the idea of storing and saving all SOX (Sarbanes-Oxley) controls and using SAP Process Control as a central repository for all Pfizer financial controls,” Brian says.
After internal discussions, Pfizer’s senior management decided it wanted a single central repository for all process controls rather than dealing with all the locally maintained documents. “Unfortunately, many of Pfizer’s business controls are not automated, but when our management discovered the MCP functionality, they saw opportunities to standardize and centrally govern the controls,” Brian says.
Documenting and Standardizing Controls to Move to Continuous Audits
To leverage the MCP functionality of SAP Process Control, Pfizer had to document and standardize all its manual controls. To do this, a project team started by asking all business units to provide their Risk and Control Matrix (RCM). “We got a bunch of different RCMs from different sites; we decided not to go big bang with this project but go group by group. We went to shared services first because they oversee a lot of processes with teams in six or seven major regions,” Brian says.
When the project team discovered all the different reports and custom applications used within the shared services group, they went to work with the shared services business teams documenting and standardizing controls on SAP Process Control. “You need to understand what you’re doing to build controls. We relied heavily on the business teams who know finance and the individual processes,” Brian says.
Brian’s team and the business teams worked together to design, standardize, and optimize the RCMs. From there, senior management from the audit, business technology, shared services, and compliance teams created an internal control over the finance and governing board to approve each control and formalize the processes before Brian’s team built them into SAP Process Control. Pfizer implemented SAP Process Control with PricewaterhouseCoopers as its partner.
Now, internal audit can continuously monitor controls through SAP Process Control and performs quarterly continuous audits in addition to the annual audit, allowing it to identify audit issues in a timely manner. “With this capability, we have increased audit test efficiency and empowered them to audit remotely, which is extremely important,” Brian says. MCP in SAP Process Control has also saved the audit team time. With controls standardized across sites, audit can test controls across all sites at once as opposed to testing each individual site.
Pfizer also now has a centralized team for control performance that monitors the effectiveness of controls, whereas before it had separate control performance teams at each site. “We introduced the MCP functionality because it would require a complicated change management process and generate a significant impact on the business community to automate our controls all at once,” Brian says.
What Does This Mean for the SAPinsiders?
Based on our research and the interview with Brian Lee, the following considerations can help the SAPinsider Community better monitor the performance of manual controls:
- Solidify processes and standardize and optimize controls before building them in SAP Process Control. Pfizer found it easy to build controls in SAP Process Control because it spent the time and effort required to standardize the RCMs first.
- Collaborate between control owners and business teams to optimize the RCM. IT professionals rarely have the in-depth process and domain knowledge necessary to build optimized controls by themselves. Lee’s team knew they needed to rely on business teams that knew the processes to optimize the RCM.
- Work with SAP to solve technical issues. Lee’s team found that some aspects of the MCP functionality did not work as advertised the first time they tried to use it, but SAP helped as an integrated partner to resolve all issues in a timely manner.
- Educate end users with demos, training, and accessible help to improve user acceptance. Lee found that many of Pfizer’s business users did not want to change how they work because they believed their controls worked fine. His team worked hard to explain to them the necessity of standardizing and taught them how to navigate and manage controls, attach evidence, and revise work instructions in SAP Process Control so that auditors could easily review evidence at any time.
Following this strategic guidance should help the SAPinsider Community implement SAP Process Control in a way that saves time and money on internal audits while improving control performance.
Pierce Owen, Vice President of Research & Publishing, SAPinsider, can be reached at Pierce.Owen@wispubs.com.